5 changes: 3 additions & 2 deletions .github/workflows/docker.yml
@@ -13,7 +13,7 @@ on:
required: true
type: boolean
secrets:
GH_PAT:
GIT_ACCESS_TOKEN:
description: "A GitHub PAT with permissions to read the private repository."
required: true

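Review bot: renaming the workflow_call secret from GH_PAT to GIT_ACCESS_TOKEN changes the reusable workflow's interface, so every caller of docker.yml has to pass the new name or the secret arrives empty; release.yml and tests.yml are updated in this PR, but any other caller will silently lose the token rather than fail. The description "A GitHub PAT with permissions to read the private repository." is still accurate, though it is worth adding that the value is consumed as a BuildKit secret, not a build arg, so callers understand why it no longer appears under build-args.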
@@ -85,12 +85,13 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
GH_TOKEN=${{ secrets.GH_PAT }}
PRIVATE_REPO_HOST=github.com/scality
BUILD_DATE=${{ fromJson(steps.meta.outputs.json)['org.opencontainers.image.created'] }}
GIT_COMMIT=${{ github.sha }}
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
VERSION=${{ inputs.version || github.sha }}
secrets: |
gh_token=${{ secrets.GIT_ACCESS_TOKEN }}

- name: Generate GitHub SLSA provenance
uses: actions/attest-build-provenance@v1
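Review bot: moving the token from build-args to the secrets block is the right fix: a build arg is recorded in the builder stage's layer metadata and, with cache-to: type=gha, ends up in the shared cache, whereas a BuildKit secret is only mounted under /run/secrets for the duration of the RUN and is not part of any layer. Two follow-ups: the id gh_token here must match the id used in the Dockerfile's --mount=type=secret (it does), and because earlier builds passed GH_TOKEN=${{ secrets.GH_PAT }} as a build arg, rotating that PAT once this lands invalidates any copy left in cached builder layers.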
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
@@ -51,7 +51,7 @@ jobs:
uses: ./.github/actions/setup-go-private
with:
go-version: ${{ env.GO_VERSION }}
gh-token: ${{ secrets.GH_PAT }}
gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}

- name: Run tests
run: make test
@@ -63,7 +63,7 @@ jobs:
version: ${{ needs.precheck.outputs.tag }}
push-image: true
secrets:
GH_PAT: ${{ secrets.GH_PAT }}
GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}

upload-crds:
runs-on: ubuntu-24.04
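Review bot: passing the secret explicitly as GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} rather than with secrets: inherit keeps the reusable workflow limited to the one secret it needs; keep it that way. The setup-go-private action in the surrounding hunks still takes its input as gh-token while the repository secret is now GIT_ACCESS_TOKEN, which works but is easy to confuse, so the action's documentation should state which secret is expected to feed that input.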
@@ -81,7 +81,7 @@ jobs:
uses: ./.github/actions/setup-go-private
with:
go-version: ${{ env.GO_VERSION }}
gh-token: ${{ secrets.GH_PAT }}
gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}

- name: Package CRDs
run: make package-crds VERSION=${{ needs.precheck.outputs.tag }}
6 changes: 3 additions & 3 deletions .github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
uses: ./.github/actions/setup-go-private
with:
go-version: ${{ env.GO_VERSION }}
gh-token: ${{ secrets.GH_PAT }}
gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}

- name: Install dependencies
run: go mod download
@@ -35,7 +35,7 @@ jobs:
with:
push-image: true
secrets:
GH_PAT: ${{ secrets.GH_PAT }}
GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}

e2e:
name: E2E Tests
@@ -54,7 +54,7 @@ jobs:
uses: ./.github/actions/setup-go-private
with:
go-version: ${{ env.GO_VERSION }}
gh-token: ${{ secrets.GH_PAT }}
gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}

- name: Login to Registry
uses: docker/login-action@v3
17 changes: 9 additions & 8 deletions Dockerfile
@@ -1,8 +1,6 @@
# Build the manager binary
FROM golang:1.24 AS builder

ARG GH_TOKEN

ARG PRIVATE_REPO_HOST=github.com/scality

ARG TARGETOS
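Review bot: dropping ARG GH_TOKEN removes the only path by which the token could be baked into this stage's metadata; ARG PRIVATE_REPO_HOST=github.com/scality is not sensitive and can stay. Check that no remaining RUN line in the stage still references $GH_TOKEN, because with the ARG gone it now expands to an empty string instead of failing the build.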
@@ -12,16 +10,19 @@ WORKDIR /workspace

RUN go env -w GOPRIVATE=${PRIVATE_REPO_HOST}

RUN if [ -z "$GH_TOKEN" ]; then echo "GH_TOKEN is missing"; exit 1; fi && \
git config --global url."https://oauth2:${GH_TOKEN}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"

# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum

# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download
# Cache deps before building and copying source. Use BuildKit secret for GH_TOKEN so it
# never appears in build args or image history. Pass with: --secret id=gh_token,env=GH_TOKEN
Comment on lines +17 to +18
Copilot AI Feb 13, 2026

The inline instructions still reference GH_TOKEN/GH_TOKEN env, but this PR switches CI to GIT_ACCESS_TOKEN and the mounted secret id is gh_token. Update this comment so local build instructions match the new secret name/source and don’t mislead users.

Suggested change
# Cache deps before building and copying source. Use BuildKit secret for GH_TOKEN so it
# never appears in build args or image history. Pass with: --secret id=gh_token,env=GH_TOKEN
# Cache deps before building and copying source. Use BuildKit secret for GIT_ACCESS_TOKEN so it
# never appears in build args or image history. Pass with: --secret id=gh_token,env=GIT_ACCESS_TOKEN

RUN --mount=type=secret,id=gh_token \
if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \
Comment on lines +19 to +20
Copilot AI Feb 13, 2026

RUN --mount=type=secret requires BuildKit. The repo’s make docker-build target currently uses plain docker build and only mentions BuildKit for cross-platform builds; with this change, local builds will fail unless BuildKit is enabled. Consider documenting this requirement (or updating the Makefile/README) so developers don’t hit an unexpected build error.

token=$(cat /run/secrets/gh_token); \
git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"; \
fi && \
Comment on lines +20 to +23
Copilot AI Feb 13, 2026

This makes the token optional (only configures git if the secret file exists). Since go env -w GOPRIVATE=${PRIVATE_REPO_HOST} is always set, builds that need private deps will now fail later with a less actionable error. Consider failing fast with a clear message when /run/secrets/gh_token is missing/empty (or when private deps are detected), and also trim trailing newlines from the secret value before embedding it in the URL to avoid subtle auth failures.

Suggested change
if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \
token=$(cat /run/secrets/gh_token); \
git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"; \
fi && \
if [ ! -f /run/secrets/gh_token ]; then \
echo "error: /run/secrets/gh_token is required to download private Go modules from ${PRIVATE_REPO_HOST}" >&2; \
exit 1; \
fi; \
token=$(tr -d '\n' < /run/secrets/gh_token); \
if [ -z "$token" ]; then \
echo "error: /run/secrets/gh_token is empty; cannot authenticate to ${PRIVATE_REPO_HOST}" >&2; \
exit 1; \
fi; \
git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}" && \

go mod download && \
rm -f /root/.gitconfig

# Copy the go source
COPY cmd/main.go cmd/main.go
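Review bot: the guarded block turns a missing or empty secret into a silent no-op, so a build without the mount only fails later inside go mod download with a generic authentication error; the removed `if [ -z "$GH_TOKEN" ]; then ... exit 1` was stricter, and that fail-fast behaviour should be kept (the suggested change in the comment above restores it). On the trailing-newline concern, token=$(cat /run/secrets/gh_token) already drops trailing newlines because command substitution strips them, so tr -d '\n' only matters for newlines elsewhere in the file, and a CR from a CRLF-saved secret would survive either way. Also note that the token is written into /root/.gitconfig by the insteadOf rule, and the rm -f /root/.gitconfig at the end of the same RUN is what keeps it out of the committed layer, so that chain must not be split into a separate RUN instruction later.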